Developing Compliance Policies and Procedures
Compliance policies and procedures form the operational backbone of any structured compliance program, translating abstract regulatory obligations into specific, enforceable internal rules. This page covers the definition and scope of compliance policies and procedures, the process for developing them, the scenarios in which they apply, and the decision boundaries that separate policy types. Organizations across healthcare, finance, environmental management, and workplace safety rely on well-constructed policy frameworks to demonstrate good-faith compliance efforts to regulators such as the Department of Justice, the Securities and Exchange Commission, and the Department of Health and Human Services.
Definition and scope
A compliance policy is a formal, written statement that defines an organization's position on a specific legal or regulatory requirement and establishes expected conduct. A compliance procedure is the operational counterpart — a step-by-step instruction set that tells employees and managers how to implement the policy in practice. These two instruments are distinct but interdependent: a policy without a procedure lacks enforceability, while a procedure without a policy lacks the authoritative basis that regulators look for during audits and investigations.
The scope of compliance policies extends across the full range of an organization's regulated activities. The U.S. Department of Justice, in its Evaluation of Corporate Compliance Programs (updated 2023), treats the existence and quality of written policies as a primary indicator of program effectiveness. Specifically, DOJ prosecutors examine whether policies are "well-designed," whether they have been implemented in practice, and whether the organization can demonstrate ongoing monitoring of those policies.
Compliance policies can be classified into three broad categories:
- Enterprise-wide policies — Address obligations that apply across all business units, such as anti-bribery, data privacy, and records retention.
- Functional or departmental policies — Govern specific operational areas, such as procurement, human resources, or information technology.
- Regulatory-specific policies — Map directly to a named statute or regulation, such as HIPAA Privacy Rule policies (45 CFR Part 164) or OSHA Hazard Communication Standard policies (29 CFR 1910.1200).
Within the compliance program components framework, policy development is one of the seven foundational elements that the HHS Office of Inspector General cites in its compliance program guidance documents.
How it works
Policy and procedure development follows a structured lifecycle with discrete phases. Skipping phases — particularly risk assessment and legal review — is a documented failure mode in regulatory enforcement actions.
Phase 1: Regulatory mapping
Identify the specific statutes, regulations, and agency guidance documents that govern the organization's activities. Tools such as the Federal Register and agency-specific guidance repositories provide the baseline. This phase overlaps with compliance gap analysis, which identifies the distance between current practice and regulatory expectation.
Phase 2: Risk-based prioritization
Not all regulatory obligations carry equal exposure. A compliance risk assessment ranks regulatory requirements by likelihood of violation and severity of consequence, determining which policies require immediate development and which can be addressed in subsequent cycles.
Phase 3: Drafting
Policy drafts should include: a statement of purpose, scope of applicability (by role, geography, or entity), a clear statement of required conduct, defined responsibilities, and references to applicable regulations. Procedures must include sequenced steps, decision points, responsible parties, and documentation requirements.
Phase 4: Legal and operational review
Drafts circulate through legal counsel and the operational units affected. The goal is to verify regulatory accuracy and confirm practical implementability. Policies that cannot realistically be followed generate their own compliance risk.
Phase 5: Approval and publication
Policies require approval at the appropriate governance level — typically the compliance officer, general counsel, and in material cases, the board or a compliance committee. Under the compliance officer roles and responsibilities framework, the compliance officer holds final accountability for policy integrity.
Phase 6: Training and implementation
A policy is not operative until affected employees are trained on it. The NIST Cybersecurity Framework (NIST CSF) and NIST SP 800-53 both treat awareness and training as controls that depend on written policy foundations.
Phase 7: Review and update
Policies require periodic review — typically on an annual cycle or triggered by regulatory change. Regulatory change management processes feed directly into this phase.
Common scenarios
Healthcare: A hospital developing a HIPAA-compliant privacy policy must address the 18 categories of protected health information under 45 CFR § 164.514 and establish separate minimum-necessary use procedures for clinical and administrative staff.
Financial services: A broker-dealer subject to FINRA Rule 3110 must maintain written supervisory procedures (WSPs) that map to each category of regulated activity. The absence of WSPs is treated as a standalone violation during FINRA examinations, independent of whether an underlying violation occurred.
Environmental: Facilities subject to EPA Clean Air Act Title V permits (40 CFR Part 70) must develop deviation reporting procedures that specify the responsible party, the 2-day and annual reporting timelines, and documentation retention requirements.
Workplace safety: OSHA's general duty clause and specific standards such as 29 CFR 1910.147 (lockout/tagout) require written procedures that are machine-specific, not generic.
Decision boundaries
Three distinctions govern policy classification and development decisions.
Policy vs. procedure: Policies state what is required; procedures state how to comply. Conflating the two produces documents that are either too vague to enforce or too operationally granular to serve as a governance reference. Regulators — including the DOJ and HHS OIG — treat the two as separate artifacts with separate review criteria.
Mandatory vs. advisory: Some policy documents establish hard compliance obligations tied to regulation. Others establish best-practice standards above the regulatory floor. Labeling matters: an "advisory" document cannot be cited in enforcement proceedings as evidence of required conduct the same way a mandatory policy can. Compliance documentation requirements guidance covers this distinction in detail.
Enterprise vs. site-specific: Organizations operating across multiple jurisdictions often maintain a master policy and site-specific procedures. A national anti-harassment policy governs all employees, while a state-specific procedure addresses California's AB 1825 training mandate (California Government Code § 12950.1) and New York's NYSDHR requirements separately.
The decision to develop a standalone policy versus incorporate requirements into an existing policy framework depends on regulatory specificity, audit exposure, and the organization's compliance monitoring and auditing architecture. High-exposure regulatory areas with dedicated enforcement programs — HIPAA, FCPA, Dodd-Frank — warrant standalone policies with independent procedures and audit trails.
References
- U.S. Department of Justice — Evaluation of Corporate Compliance Programs (2023)
- HHS Office of Inspector General — Compliance Program Guidance
- NIST Cybersecurity Framework (CSF)
- NIST SP 800-53, Rev. 5 — Security and Privacy Controls
- eCFR — 45 CFR Part 164 (HIPAA Security and Privacy)
- eCFR — 29 CFR 1910.1200 (OSHA Hazard Communication)
- eCFR — 40 CFR Part 70 (EPA Clean Air Act Title V)
- Federal Register
- California Legislative Information — Government Code § 12950.1